Is recruiting ready for European privacy law?

27 Apr 2018

One of the hottest topics at the Sourcing Summit Germany (SOSUDE) in Munich this week was the General Data Protection Regulation (GDPR). The new law harmonizes and strengthens data privacy laws across European Union member states. It will enter into effect on May 25.

While companies that collect any kind of personal data on European subjects have had two years to get their houses in order to comply with GDPR, almost half aren’t prepared. The large European job boards and recruitment tech companies we’ve talked to say they’ll be ready come next month, but one area that’s unclear is how incoming privacy rules affect active sourcing.

Among other things, GDPR strengthens a user’s right to know and control who stores his or her data. In that regard, it’s straightforward for a job site to obtain consent from a candidate who’s adding a CV to its database. But what about when a recruiter (or automated crawler) scrapes candidate data from social media sites to build a profile without the candidate’s knowledge?

Many in the SOSUDE audience were active sourcers who specialize in hard-to-find STEM talent. They rely on Google, business networks like Xing and LinkedIn, and an ever-growing range of tools to mine candidate data from anywhere on the internet.

Guillaume Alexandre of Gates Solutions, for example, showed how recruiters can use Data Miner — a Google Chrome extension — to scrape data from any webpage and pull it into a spreadsheet (example: mining data from a Xing Events page yields the names of a group of Java developers in northern Germany).

GDPR-compliant tools

German HR expert and blogger Marcus Reif told the SOSUDE audience that this kind of data collection (identifying candidates without their consent) is allowed under GDPR. But before the data can be used in any way, the subjects have to be notified that their data will be used, where it will be stored, who will be working with it and when it will be deleted. They have to provide consent, he said.

He also said many Google Chrome extensions, and other plug-ins that sourcers rely on, are not GDPR-compliant because they present security risks. “My recommendation is to use only plug-ins that cost money and are compliant. Stay away from the free ones.”

Protecting the security of candidate data is also part of GDPR compliance. To that end, Reif said recruiters should not share candidate data with each other through messaging apps like WhatsApp, and they should take down contact forms on sites that aren’t SSL-certified.

The new regulations still present gray areas. For one, firms like TalentWunder, which assemble databases of profiles from publicly available sources and sell access to them, do not save this data but cache it, said Reif. GDPR technically doesn’t cover caching, but this could change if cases emerge that challenge the approach.

GDPR isn’t an apocalypse for active sourcing, he stressed. But recruiters have to pay attention to getting regular opt-ins from candidates, and early in the process.

Privacy by design

GDPR compliance is the top priority for Hello Talent, a platform to build talent pools and maintain contact with prospective candidates, the company told the AIM Group. “We are building a tool that allows clients to notify candidates when they pull their information into the talent pool with an opt-in notice,” Dustin Robinson, digital content manager at Hello Talent’s parent company TalentSoft, said. The site is also adding a feature that lets users see what data Hello Talent stores on them, a requirement of GDPR.

Trueredo, a German job portal based on crowdsourced referrals that launched last year, baked GDPR compliance into its model from the beginning in what’s known as “privacy by design”. The site obtains multiple opt-ins from crowdsourcers and those being referred, founder Hansjoerg Beger told us.

Workshape, a site where software engineers create profiles using visual cues and see matches to open jobs, also built strict privacy controls into the system. It didn’t do this with data privacy laws in mind, but rather in an effort to create an exclusive place for developers to interact with hiring managers from companies (in other words, no headhunters allowed), founder Hung Lee told us. “It’s designed to be safe space where nobody can scrape their data.”

Kate Rodriguez

Kate Rodriguez covers the German market for AIM Group. She is a freelance business writer with an extensive background in public policy, business consulting and marketing. Originally from the U.S., Kate is now based in Munich.